REVOKE|V4.6.0|OceanBase Database| docs|Distributed Database

REVOKE

Last Updated：2026-05-07 11:26:25 Updated

Purpose

This statement is used to revoke privileges previously granted to a user or role, or to revoke a role from a user or role.

Limitations and considerations

Revoking object privileges does not cascade. For example, if user user1 grants certain privileges to user2, revoking user1's privileges will not also revoke the corresponding privileges from user2.
The user or role whose privileges are being revoked must exist; otherwise, an error will be returned.
Roles specified in the system variable mandatory_roles cannot be revoked.
The execution of the REVOKE statement takes effect immediately for the currently logged-in user.

Privilege requirements

Revoke specific privilege level privileges: The user must have the privilege being revoked (e.g., user1 must have the SELECT privilege on table t1 to revoke user2's SELECT privilege on t1), and must also have the GRANT OPTION privilege.
Revoke all privileges and grant option: When revoking ALL PRIVILEGES and GRANT OPTION, the current user must have the global GRANT OPTION privilege, or the UPDATE and DELETE privileges on the privilege table.
Revoke role privileges from a user or role: To successfully revoke a role, the current user must have the role being revoked and the ADMIN OPTION privilege.

For more information about privileges in OceanBase Database, see Privilege classification in MySQL mode.

Syntax

Revoke object privileges from a user or role

revoke_stmt1:
    REVOKE grant_privileges ON priv_level FROM user_or_role_list;

revoke_stmt2:
    REVOKE ALL [PRIVILEGES], GRANT OPTION FROM user_or_role_list;

revoke_stmt3:
    REVOKE [IF EXISTS] role_name_list FROM user_or_role_list [IGNORE UNKNOWN USER];

grant_privileges:
    priv_type_list
    | ALL [PRIVILEGES]

priv_type_list:
    priv_type[(column_name_list)] [, priv_type[(column_name_list)] ...]

column_name_list:
    column_name [, column_name ...]

priv_level:
    *.*
    | db_name.*
    | db_name.table_name
    | CATALOG external_catalog_name
    | LOCATION location_name

user_or_role_list:
      user_or_role [, user_or_role ...]

user_or_role:
    user_name | role_name

role_name_list:
    role_name [, role_name ...]

Parameters

Parameter	Description
revoke_stmt1	The SQL statement to revoke specific privilege level privileges from a user or role.
revoke_stmt2	The SQL statement to revoke all privileges and the grant option from a user or role.
revoke_stmt3	The SQL statement to revoke a role from a user or role.
grant_privileges	Specifies the type of privilege to revoke. This can be a list of specific privilege types or all privileges except `GRANT OPTION`.
priv_type_list	Specifies a list of specific privilege types. When revoking multiple privileges, separate them with commas (`,`).
priv_type	Specifies a specific privilege type. For more information about specific privilege types, see Privilege classification in MySQL mode. Note: The PROXY parameter is only recorded in the syntax for the current version and does not take effect.
column_name_list	Optional. Specifies a list of column-level privileges to revoke from a table. If not specified, the privileges for the entire table or object are revoked.
ALL [PRIVILEGES]	Specifies all privileges except `GRANT OPTION`.
priv_level	Specifies the privilege level. For more information about the specific values of the privilege level, see priv_level.
user_or_role_list	Specifies a list of users or roles from which to revoke privileges. When revoking privileges from multiple users or roles, separate the user and role names with commas (`,`).
user_name	Specifies the user name.
role_name	Specifies the role name.
IF EXISTS	Optional. If the specified role does not exist and the `IF EXISTS` option is used, a warning is issued instead of an error message.
role_name_list	Specifies a list of roles to revoke. When revoking multiple roles, separate the role names with commas (`,`).
IGNORE UNKNOWN USER	Optional. If the grantee (user or role) does not exist and the `IGNORE UNKNOWN USER` option is used, a warning is issued instead of an error message.
proxy	The syntax for this keyword is recorded in the current version, but the feature does not take effect.

priv_level

*.*: All tables in all databases.

Example:

Revoke the global SELECT and INSERT privileges from users user001 and user002.
```
REVOKE SELECT, INSERT ON *.* FROM user001, user002;
```
db_name.*: All tables in the specified database. db_name is the name of the specified database.

Example:

Revoke the insert privilege on all tables in the test database from user user003.
```
REVOKE INSERT ON test.* FROM user003;
```
db_name.table_name: A specific table in a specific database.

Example:

Revoke the SELECT privilege on the tbl2 table in the test database from user user003.
```
REVOKE SELECT ON test.tbl2 FROM user003;
```
CATALOG external_catalog_name: A catalog in the specified catalog.

Example:

Revoke the USE CATALOG privilege on the test_odps_catalog catalog from user user004.
```
REVOKE USE CATALOG ON CATALOG test_odps_catalog FROM user004;
```
LOCATION location_name: A location object.

Note

For OceanBase Database V4.4.x, the REVOKE statement supports the LOCATION parameter and the corresponding READ and WRITE privileges starting from V4.4.1.

Example:

Revoke the READ privilege on the test_location_local location from user user005.
```
REVOKE READ ON LOCATION test_location_local FROM user005;
```

Examples

Example 1: Revoke object privileges

Revoke the SELECT privilege from user test_user001 and check which privileges are granted by ALL PRIVILEGES.

Grant the ALL PRIVILEGES privilege to user test_user001.
```
GRANT ALL PRIVILEGES ON *.* TO test_user001;
```

View the privileges granted to user test_user001.

SHOW GRANTS FOR test_user001;

The returned result is as follows:

+-----------------------------------------------+
| Grants for test_user001@%                     |
+-----------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'test_user001' |
+-----------------------------------------------+
1 row in set

Revoke the SELECT privilege from user test_user001.
```
REVOKE SELECT ON *.* FROM test_user001;
```

View the privileges granted to user test_user001 again.

SHOW GRANTS FOR test_user001;

The returned result is as follows:

+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for test_user001@%                                                                                                                                                                                                                                                                                                                                                                                                                                       |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT ALTER, CREATE, CREATE USER, DELETE, DROP, INSERT, UPDATE, INDEX, CREATE VIEW, SHOW VIEW, SHOW DATABASES, SUPER, PROCESS, CREATE_SYNONYM, REFERENCES, FILE, ALTER TENANT, ALTER SYSTEM, CREATE RESOURCE POOL, CREATE RESOURCE UNIT, REPLICATION SLAVE, REPLICATION CLIENT, DROP DATABASE LINK, CREATE DATABASE LINK, EXECUTE, ALTER ROUTINE, CREATE ROUTINE, CREATE TABLESPACE, SHUTDOWN, RELOAD, CREATE ROLE, DROP ROLE, TRIGGER ON *.* TO 'test_user001' |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set

Example 2: Revoke all privileges from a user

Revoke all privileges from user test_user002.

REVOKE ALL PRIVILEGES, GRANT OPTION FROM test_user002;

Example 3: Revoke a role from a user or role

Revoke role role001 from role role002.
```
REVOKE role001 FROM role002;
```
Revoke role role001 from user user001.
```
REVOKE role001 FROM user001;
```

OceanBase

Customer Stories

Documentation